Retailers Harassed by Backoff Malware

By John P. Mello Jr.
Aug 5, 2014 7:17 AM PT

The U.S. Department of Homeland Security last week sounded an alarm warning retailers of a family of malicious programs aimed at compromising point-of-sale systems. Attackers used such software last year in massive data breaches that nicked millions of consumer records at Target and Nieman Marcus.

Variants of the Backoff family -- capable of scraping memory for data such as credit card information, as well as logging keystrokes and establishing command-and-control communication with an intruder -- have turned up in at least three forensic investigations, according to the department's Computer Emergency Response Team.

Backoff also injects malicious code into Windows Explorer so the malware can be relaunched if it crashes or is forcibly stopped on a system.

"The Backoff point-of-sale malware has multiple components which aren't overly sophisticated, but it does try to hide itself on affected systems and also maintain persistence if a machine is restarted," Jerome Segura, a senior security researcher with
Malwarebytes, told TechNewsWorld.

Common points of entry for the malware are a number of popular remote access programs, according to U.S. CERT Alert (TA14-212A). They include Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2, Pulseway, and LogMeIn Join.Me.

After brute-forcing access to one of those programs on a system, an attacker will seek to gain control of an administrator or privileged access account and use it to deploy the malware, which siphons consumer payment data from a system.

Remote desktop software is attractive to hackers because if it's cracked, it gives them the same control over a system that its operator has. What's more, it seems that known passwords are being recycled by users of the apps.

Lessons Unlearned

"A few months ago, AlienVault alerted the industry of a botnet that was looking for POS systems connected to the Internet and was brute-forcing Remote Desktop using common usernames for POS devices and vendors because, by default, most POS systems have common usernames and passwords," Jaime Blasco, director of
AlienVault, told TechNewsWorld.

Remote access programs provided by app makers outside an organization, aka the "shadow cloud," also can be troublesome.

For example, employees' adoption of freemium share and sync products created problems for the companies of 84 percent of the IT pros who participated in a recent Harris Interactive survey.

Employees often seek programs that run in the shadow cloud because they feel they need them to improve productivity, and their IT departments aren't offering suitable alternatives.

To limit the risk of compromise, "organizations should educate employees and provide an approved method for remote access," Joe Schumacher, a security consultant at
Neohapsis, told TechNewsWorld.

"What we see are end users who have had their computers compromised by malware, but they aren't just your typical user," observed Malwarebytes' Segura.

"Some of them have access to corporate networks. This makes them a very valuable target for hackers who may realize their custom piece of malware has just struck a gold mine," he explained.

Carriers Abet Hackers

As employees increasingly use their own smartphones to enhance their productivity at work, businesses have sought to protect their data on those devices, as well as on devices they issue to workers, through Mobile Device Management systems. MDM allows a business to send commands to a phone to keep its apps up-to-date, or even to wipe it if it's stolen or lost.

As it turns out, businesses aren't the only ones interested in managing smartphones. Carriers are interested in it, too. Most smartphones contain code that allow carriers to manage the device -- code that possibly could expose phones to hacker attacks.

Many carriers and manufacturers across the phone industry use a device management tool made by a third-party to configure their customers' phones in various ways.

"We found a fairly significant amount of vulnerabilities in the software itself," Mathew Solnik, a researcher for
Accuvant, told TechNewsWorld.

The scheme used to generate the credentials for accessing the software is weak, for example.

"We can precalculate any device's password without any knowledge of the device itself," Solnik said.

Although the software uses encryption for security, it botches that, too.

"We found the software client wasn't properly verifying the remote host names of the servers [it was] talking to, which allowed us to set up a base station and -- between the authentication and encryption vulnerabilities -- have full control over the client.

While the vulnerable software is widespread, attacking it isn't easy.

"This is not something your average phisher could reproduce. The threat scenario to the average user is very, very, very low," Solnik said.

"What we're trying to show," he continued, "is that five to 10 years from now, this may become more common, as knowledge grows and barriers to entry decrease."

Breach Diary

July 29. Canadian officials accuse Chinese hackers of attacking the National Research Council, Canada's leading research body.

July 29. FireEye releases report based on analysis of data from its network of more than 1,200 network appliances around the world, finding 97 percent of organizations have been breached and 25 percent have experienced events consistent with advanced persistent threats.

July 29. Bluebox Security researchers reveal flaw in Android mobile operating system that can be exploited to let malicious apps bypass a sandbox in the system used for security and allow the theft of user credentials and access to payment histories and other sensitive data.

July 30. Russian authorities request Apple and SAP turn over source code for their software products so code can be checked to ensure the privacy of users and the security of government agencies and corporations.

July 31. U.S. District Court Judge Loretta Preska rules warrant to obtain customer data on Microsoft servers in Ireland is valid. Microsoft had argued that warrant issued in United States was not valid on its property in Ireland.

July 31. Symantec finds new Russian-language ransomware Trojan that uses open source encryption algorithms to scramble a computer's files and extort money from its operator.

July 31. U.S. Department of Homeland Security warns retailers of Backoff, a malware program designed to compromise point-of-sale systems. The malicious program is largely undetected by most standard antivirus programs, it says.

July 31. Riverside Health System reports possible data breach putting at risk financial data for some 2,000 patients and all staff of the provider following the arrest of a former employee for stealing credit card information from cancer patients.

July 31. Irish bookmaker Paddy Power reveals data breach in 2010 put at risk the personal financial information of 649,055, or 29 percent, of the company's online customers at the time of the theft.

July 31. Survey of 203 C-level executives by Opinion Matters and ThreatTrack reveals 74 percent of the executives did not agree that CISOs should be part of an organization's leadership team. Nearly half (44 percent) of them agreed that primary role of the CISO was being "accountable for any organizational data breaches."

Aug. 1. President Barrack Obama signs into law bill giving consumers the right to unlock their cellphones.